IEC Functional Safety Assessment

Transcription

1 IEC Functional Safety Assessment Project: Micro Motion Series 1700/2700 Flowmeters with Standard or Enhanced Core Company: Micro Motion, Inc. Emerson Boulder, Colorado USA Contract No.: Q17/ Report No.: EMM 08/04-67 R005 Version V2, Revision R1, May 1, 2017 John Yozallinas - Gregory Sauk The document was prepared using best effort. The authors make no warranty of any kind and shall not be liable in any event for incidental or consequential damages in connection with the application of the document. All rights reserved.

2 Management Summary This report summarizes the results of the Functional Safety Assessment according to IEC carried out on the: Micro Motion Series 1700/2700 Flowmeters with Standard 700 Core Processor Micro Motion Series 1700/2700 Flowmeters with Enhanced 800 Core Processor The Functional Safety Assessment performed by exida consisted of the following activities: - exida assessed the development process used by Micro Motion, Inc. through an audit and review of a detailed safety case against the exida certification scheme which includes the relevant requirements of IEC The assessment was executed using subsets of the IEC requirements tailored to the work scope of the development team. - exida reviewed and assessed a detailed Failure Modes, Effects, and Diagnostic Analysis (FMEDA) of the devices to document the hardware architecture and failure behavior. - exida reviewed field failure data to verify the accuracy of the FMEDA analysis. exida reviewed the manufacturing quality system in use at Micro Motion, Inc. The functional safety assessment was performed to the SIL 3 requirements of IEC 61508:2010. A full IEC Safety Case was prepared, using the exida SafetyCaseDB tool, and used as the primary audit tool. The Enhanced Core Processor is an upgrade to the previously certified 1700 and 2700 Coriolis Flow and Density Transmitters with the 700 Core Processor. This assessment took into consideration the previous assessment, changes and additions to the product, enhancements to the development process, and the process requirements to implement these changes. The results of the Functional Safety Assessment can be summarized by the following statements: The audited development process, as tailored and implemented by the Micro Motion Series 1700/2700 Flowmeters development project, complies with the relevant safety management requirements of IEC SIL 3. This means that the Series 1700/2700 Flowmeters with either the 700 or 800 Core are capable for use in SIL 3 applications in Low or High demand mode when properly designed into a Safety Instrumented Function per the requirements in the Safety Manual and when using the versions specified in this document. The manufacturer will be entitled to use the Functional Safety Logo. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 2 of 25

3 Table of Contents Management Summary Purpose and Scope Project Management exida Roles of the parties involved Standards / Literature used Reference documents Documentation provided by Micro Motion, Inc Documentation generated by exida Product Description IEC Functional Safety Assessment Scheme Methodology Assessment level Results of the IEC Functional Safety Assessment Lifecycle Activities and Fault Avoidance Measures Functional Safety Management Safety Requirements Specification and Architecture Design Hardware Design Software Design Validation Verification Modifications User documentation Proven in Use Hardware Assessment IEC Functional Safety Surveillance Audit Roles of the parties involved Surveillance Methodology Documentation provided by Micro Motion, Inc Surveillance Documentation generated by exida Surveillance Results Procedure Changes Engineering Changes Impact Analysis Field History Safety Manual FMEDA Update T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 3 of 25

4 6.3.7 Evaluate use of certificate and/or certification mark Previous Recommendations Additional Manufacturing locations Assessed Configurations / Versions Terms and Definitions Status of the document Liability Releases Future Enhancements Release Signatures T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 4 of 25

5 1 Purpose and Scope This document shall describe the results of the IEC functional safety assessment of the: Micro Motion Series 1700/2700 Flowmeters with Standard 700 Core Processor Micro Motion Series 1700/2700 Flowmeters with Enhanced 800 Core Processor by exida according to the accredited exida certification scheme which includes the requirements of IEC 61508: The purpose of the assessment was to evaluate the compliance of: - the Micro Motion Series 1700/2700 Flowmeters with the technical IEC and -3 requirements for SIL 3 and the derived product safety property requirements and - the Micro Motion Series 1700/2700 Flowmeters development processes, procedures and techniques as implemented for the safety-related deliveries with the managerial IEC , -2 and -3 requirements for SIL 3. and - the Micro Motion Series 1700/2700 Flowmeters hardware analysis represented by the Failure Mode, Effects and Diagnostic Analysis with the relevant requirements of IEC The assessment has been carried out based on the quality procedures and scope definitions of exida. The results of this assessment provide the safety instrumentation engineer with the required failure data per IEC / IEC and confidence that sufficient attention has been given to systematic failures during the development process of the device. 1.1 Tools and Methods used for the assessment This assessment was carried by using the exida Safety Case tool. The Safety Case tool contains the exida scheme which includes all the relevant requirements of IEC For the fulfillment of the objectives, expectations are defined which builds the acceptance level for the assessment. The expectations are reviewed to verify that each single requirement is covered. Because of this methodology, comparable assessments in multiple projects with different assessors are achieved. The arguments for the positive judgment of the assessor are documented within this tool and summarized within this report. The assessment was planned by exida and agreed to with Micro Motion, Inc.. All assessment steps were continuously documented by exida (see [R1] to [R9]). T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 5 of 25

6 2 Project Management 2.1 exida exida is one of the world s leading accredited Certification Bodies and knowledge companies specializing in cybersecurity, automation system safety and availability with over 400 years of cumulative experience in functional safety. Founded by several of the world s top reliability and safety experts from assessment organizations and manufacturers, exida is a global company with offices around the world. exida offers training, coaching, project oriented system consulting services, safety lifecycle engineering tools, detailed product assurance, cyber-security and functional safety certification, and a collection of on-line safety and reliability resources. exida maintains a comprehensive failure rate and failure mode database on process equipment based on 250 billion unit operating hours of field failure data. 2.2 Roles of the parties involved Micro Motion, Inc. exida exida Manufacturer of the Coriolis Flowmeter with 1700 / 2700 Transmitter Performed the hardware assessments [R1] and [R2] Performed the IEC Functional Safety Assessment Micro Motion, Inc. contracted exida in September 2008 with the IEC Functional Safety Assessment and certification renewal of the above mentioned devices. 2.3 Standards / Literature used The services delivered by exida were performed based on the following standards / literature. [N1] IEC (Parts 1-7): 2010, 2 nd ed. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems 2.4 Reference documents Note: Documents revised after the initial audit are listed in 2017 IEC Functional Safety Surveillance Audit Documentation provided by Micro Motion, Inc. [D1] SafetyCaseDB IEC61508 FSM.esc 1700/2700 Transmitter SafetyCaseDB [D2] CP 18, Rev I Control Procedure 18 - Product Development & Design Control [D3] ER , Rev 0.4, 7/8/08 [D4] 800 CRDO, Rev 0.4, 11/5/2004 [D5] MMI SIL 2700 SASRD_0 2.doc, Rev S Series Project Development Plan Model 800 Enhanced Core Processor Customer Requirements Document 1700 / 2700 Coriolis Flowmeter System Architecture and Safety Requirements Specification T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 6 of 25

7 [D6] LWI 133, Rev B Local Work Instruction System, Architecture and Safety Requirements Guidelines [D7] LWI 127, Rev F Local Work Instruction Requirements Management Procedure [D8] LWI 132, Rev C Local Work Instruction Software and Embedded System Project Planning [D9] LWI 129, Rev B Local Work Instruction Embedded Software Development Procedure [D10] LWI 23, Rev F Local Work Instruction 23 - Software Development Process [D11] LWI 188, Rev A Local Work Instruction C and C++ Coding Guideline [D12] LWI 126, Rev D Local Work Instruction Software Quality Assurance Audits Procedure [D13] LWI , 9/26/08 Completed Embedded Development Project Audit Checklist (per LWI 126) [D14] LWI 24, Rev F Local Work Instruction 24 - Product Development Configuration Management [D15] LWI 130, Rev B Local Work Instruction Product and Process Reviews [D16] LWI 31, Rev C Local Work Instruction 31 - Inspection and Test Equipment Calibration [D17] CP 36, Rev G Control Procedure 36 - ECR/ECO Procedure (Engineering Change Request) [D18] ER , Rev A.3, 8/8/ Series SRS (Software Requirement Specification) [D19] 80xSDD, Rev 0.4, 1/29/07 80x Series Software Design Description (SDD) [D20] 80xSDD_Minutes_rev0_1.d oc Software Design Document Review Minutes [D21] ER , Rev K 2400/ECP Enhanced Core Processor Software Release history [D22] ECR Sample ECR showing the SIL requirements [D23] CP58, Rev F Control Procedure 58 - Stop / Resume Ship Procedure [D24] CP 58-F1 Stop Ship Authorization Form [D25] CP 5 Product Safety.doc, Rev E Control Procedure 5 - Product Safety [D26] LWI 26 Local Work Instruction 26 - Checklist for Safety [D27] CP 36-A9, Rev A SIL Impact Analysis Worksheet (CP36 Attachment 9) [D28] [D29] ECP800 Version 342 TB Rev 1.doc 2700 SIL Validation Test Plan.doc, Ver 1, Sept 2008 Technical Bulletin for ECP800 Ver 3.42 Software Release 2700 Coriolis Flowmeter Safety Validation Test Plan T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 7 of 25

8 [D30] 2700 SIL Validation Test Report, Ver 1.0, Nov Coriolis Flowmeter Safety Validation Test Report [D31] DA03001R101.doc Architecture Diagram for automated DVT Engine [D32] 2400sManualDVT.xls 800 Manual DVT Tests [D33] DVT, 8/18/08 Design Validation Test Report Example [D34] LINT, 8/29/08 LINT Results [D35] BFSrc.UNIT_TEST_CodeS tats.xls [D36] Review 306, Rev 1.0, 11/15/04 [D37] P/N , Rev B, 09/2006 Code Module Unit Test Results summary spreadsheet Code review example Coriolis Meter Series 1000 and 2000 Transmitters - Configuration and Use Manual [D38] LWI 186, Rev A Local Work Instruction Safety Manual Creation Guideline [D39] P/N , Rev B Model 1700 or Model 2700 Transmitter Safety Manual [D40] Tools Techniques and Measures per IEC 61508, IEC Tables, document shows all tables from IEC Annex A and B from part 2 and part 3 along with details as to how Micro Motion meets each of the requirements. [D41] Training record.jpg, 10/08 Sample of a training record for a SIL team member [D42] [D43] Control Procedure Index, 10/01/08 LWI index-boulder, 10/01/08 Index of Micro Motion Control Procedures Local Work Instructions Index for Micro Motion, Boulder [D44] PS-00400, June 2002 Product Data Sheet Series 1000 and 2000 transmitters [D45] PS-00232, April 2002 Product Data Sheet Micro Motion Flowmeters [D46] MM 2700 Fault Injection Summary rev. 2.xls [D47] /2004T, Rev 1.0, 2005-Nov-10 [D48] Pegasus Sales FY06 to FY08 Fault Injection Test Plan TUV Nord Certification Report of the 1700/2700 Coriolis Flowmeter Shipments spreadsheet for 1700/2700 [D49] Pegasus WF FY06 to FY08 Warranty Failure data spreadsheet for 1700/2700 [D50] ER , Rev J 700 Core Processor Software Release history [D51] IEC Tables, 0.2; 1/7/2008 IEC Tables, document shows all tables from IEC Annex A and B from part 2 and part 3 along with details as to how Micro Motion meets each of the requirements. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 8 of 25

9 2.4.2 Documentation generated by exida [R1] [R2] [R3] [R4] MiMo 08/04-67r1 R001 V2R2, 10/21/2008 MiMo 08/04-67r1 R001 V2R2, 10/21/2008 MiMO R001, V2 R2, 4/1/2005 Field_Failure_Analysis_Mic romotion 800 ECP.xls [R5] MM R001, V1 R1, 9/30/2008 FMEDA report, Coriolis Flowmeter 1700 / 2700 Transmitter, with 700 CP FMEDA report, Coriolis Flowmeter 1700 / 2700 Transmitter, with 800 ECP 1700/2700 Proven In Use Assessment exida field failure analysis summary spreadsheet to calculate failure rates based on field experience 800 Enhanced Core Processor Proven In Use Assessment [R6] MM 08/04-67 R001, V1 R1 Software Criticality Analysis / HAZOP Report [R7] [R8] [R9] MM 2700 Fault Injection Results-GPS.xls, 10/7/2008 MM R004 V1R1 IEC Assessment.doc, 12/9/08 MM R005 V1R1 IEC Assessment.doc, 12/9/08 Fault Injection Tests and Results IEC Functional Safety Assessment for Micro Motion Series 1700/2700 Flowmeters with 700 CP IEC Functional Safety Assessment for Micro Motion Series 1700/2700 Flowmeters with 800 ECP T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 9 of 25

10 3 Product Description This assessment is for the Micro Motion Coriolis Flowmeters which consists of a series CMF (Elite), T, F, H, R, DT (700 CP only) or HPC010 (800 ECP only) sensor with a Standard 700 CP or 800 ECP and a 1700 / 2700 transmitter. The Micro Motion Coriolis flowmeter is a smart device used in many different industries for both control and safety applications. The Model 1700 / 2700 features MVD technology and diagnostics. It allows for multivariable measurement of mass flow, volume flow, density, and temperature. Output options include frequency, milliamp, discrete in, discrete out, HART, Modbus, Foundation Fieldbus H1, or Profibus-PA; intrinsically safe outputs with one frequency and two milliamp outputs are also available. The analog milliamp output is used for the safety critical variable (mass flow, volume flow or density); all other outputs are considered outside the scope of Safety Instrumented Systems (SIS) usage. External Power (AC or DC) Flow Transmitter Electronics Current Output (w/hart) Misc. Non-Interfering I/O Model 700 or 800 Sensor Electronics Flow Tube Process Flow Path Figure 1 Micro Motion Coriolis Flowmeter, Parts included in the Assessment Note: See 2017 IEC Functional Safety Surveillance Audit section for the current assessed versions information. In all applications considered, the normal operating condition is when the output ma signal represents the input Flow (or Density) within the Safety Accuracy of 2%. The fail safe state for when the diagnostics determines there is a fault is configurable and may be either high or low. The Series 1700/2700 Flowmeters are classified as a Type B 1 element according to IEC 61508, having a hardware fault tolerance of 0. 1 Type B element: Complex element (using complex components such as micro controllers or programmable logic); for details see of IEC , ed T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 10 of 25

11 Figure 2 Micro Motion 2700 and an Elite Sensor (CMF100) with 700 CP in a SS housing Figure 3 Micro Motion Elite Sensor (CMF100) with 800 ECP and a 2700 T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 11 of 25

12 4 IEC Functional Safety Assessment Scheme exida assessed the development process used by Micro Motion, Inc. for this development project against the objectives of the exida certification scheme which includes subsets of IEC to Methodology The full functional safety assessment includes an assessment of all fault avoidance and fault control measures during hardware and software development and demonstrates full compliance with IEC to the end-user. The assessment considers all requirements of IEC Any requirements that have been deemed not applicable have been marked as such in the full Safety Case report, e.g. software development requirements for a product with no software. As part of the IEC functional safety assessment the following aspects have been reviewed: Development process, including: o o o o o o Functional Safety Management, including training and competence recording, FSM planning, and configuration management Specification process, techniques and documentation Design process, techniques and documentation, including tools used Validation activities, including development test procedures, test plans and reports, production test procedures and documentation Verification activities and documentation Modification process and documentation o Installation, operation, and maintenance requirements, including user documentation o Manufacturing Quality System Product design o o Hardware architecture and failure behavior, documented in a FMEDA Software architecture and failure behavior, documented in a Software Criticality and Software HAZOP report Product Field History o o Hours of field operation Field failure history Existing Product Certifications o TUV IEC Certification Report for 1700/2700 Coriolis Flowmeter The review of the development procedures is described in section 5.1. The review of the product design is described in section 5.3. The review of the product field history is described in section 5.2. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 12 of 25

13 4.2 Assessment level The Series 1700/2700 Flowmeters with either the 700 or 800 Core have been assessed per IEC to the following levels: SIL 2 capability, single use (Hardware Fault Tolerance = 0) SIL 3 capability, redundant use (Hardware Fault Tolerance = 1) The development procedures were assessed as suitable for use in applications with a maximum Safety Integrity Level of 3 (SIL 3) according to IEC T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 13 of 25

14 5 Results of the IEC Functional Safety Assessment exida Certification assessed the development process used by Micro Motion, Inc. during the product development against the objectives of the exida certification scheme which includes IEC parts 1, 2, and 3 [N1]. Some of the development of the Series 1700/2700 Flowmeters was done prior to Micro Motion establishing their fully compliant development process. Consequently for the evaluation of some of the systematic fault avoidance measures, some weight was given to proven in use considerations to offset the absence of some avoidance items. The most recent and all future modifications to the Series 1700/2700 Flowmeters must be made per the IEC SIL 3 compliant change/development process. 5.1 Lifecycle Activities and Fault Avoidance Measures Micro Motion, Inc. has an IEC compliant development process as assessed during the IEC certification. This compliant development process is documented in the SafetyCaseDB [D1]. This functional safety assessment investigated the compliance with IEC of the processes, procedures and techniques as implemented for the 1700/2700 Coriolis Flowmeter development. The investigation was executed using the exida certification scheme which includes subsets of the IEC requirements tailored to the SIL 3 work scope of the development team. The result of the assessment can be summarized by the following observations: The audited Micro Motion, Inc. development process complies with the relevant managerial requirements of IEC SIL Functional Safety Management FSM Planning The functional safety management of any Micro Motion, Inc. Safety Instrumented Systems Product development is governed by Control Procedure (CP) 18 [D2]. Micro Motion utilizes a Stage-Gate model for their product development projects. This Stage-Gate process governs all product development activity from the project kick-off through release to production and eventual discontinuance of the product. The Micro Motion Stage-Gate process is derived from the Emerson Stage-Gate process and is divided into 9 phases. For each development Micro Motion creates a Development Management Plan [D3] which defines all of the tasks that must be done to ensure functional safety as well as the person(s) responsible for each task. These processes and the procedures referenced herein fulfill the requirements of IEC with respect to functional safety management. Version Control All documents are under version control as documented in [D1]. Micro Motion, Inc. uses PVCS for its revision control of all documents and specifications related to the project. Product documentation is controlled by CP 36 and is managed using Product Data Management (PDM). Training, Competency recording Selection of the team members is handled by management in accordance with CP 18. Personnel training records are kept in accordance with IEC requirements as documented in [D1] and demonstrated in [D41]. Micro Motion, Inc. hired exida Certification to be the independent assessor per IEC T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 14 of 25

15 5.1.2 Safety Requirements Specification and Architecture Design As defined in the Development Management Plan [D3], a System Architecture and Safety Requirements Specification (SASRD) [D5] is done for all products that must meet IEC requirements. The requirements specification contains the product safety constraints, safety integrity requirements, product architecture, and the hardware and software architecture requirements. This document includes block diagrams of the overall architecture, dataflow for both hardware and software as well as identifiers for tracking of the requirements. The SASRS has been reviewed by exida. During the assessment, exida Certification reviewed the content of the specification for completeness per the requirements of IEC Requirements for the project were traced using Requisite Pro. Each requirement identified in the Customer Requirements Document can be traced to a system-level requirement. Each systemlevel requirement can then be traced to a requirement(s) in the software requirements specification(s) and/or hardware requirements specification(s). These in turn are traceable down to either a test case in the Design Verification Test plan for the software or the Test Spec for the transmitter. Requirements from IEC , Table B.1 that have been met by Micro Motion, Inc. include project management, documentation, separation of safety requirements from non-safety requirements, structured specification, inspection of the specification, semi-formal methods and checklists. [D40] & [D51] documents more details on how each of these requirements have been met. This meets the requirements of SIL Hardware Design Hardware design, including both electrical and mechanical design, is done according to [D3] and [D2]. The hardware design process includes component selection, detailed drawings and schematics, a failure modes, effects and diagnostic analysis (FMEDA), design reviews, the creating of prototypes, and hardware verification tests. Requirements from IEC , Table B.2 that have been met by Micro Motion, Inc. include observance of guidelines and standards, project management, documentation, structured design, modularization, use of well-tried components, checklists, semi-formal methods, computer aided design tools, simulation, and inspection of the specification. This meets the requirements of SIL Software Design During the prior certification process of the similar 1700/2700 Flowmeters with standard 700 core, some additional changes and enhancements to the software process were incorporated by Micro Motion. A Proven in Use analysis was performed on 1700/2700 Flowmeters with the 800 Core (section 5.2). This analysis was supplemented with a Software Criticality Analysis / HAZOP Report [R6] which further details the extra testing and analysis that was used in evaluating the software and its design process. The latest software version for the 800 core also had each of its complex modules fully module tested. Coding standards, code reviews, module testing, LINT testing, fault injection tests boundary value tests, and Design Validation Testing are all techniques now used for changes to the software. This meets the requirements of SIL 3. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 15 of 25

16 5.1.5 Validation All safety requirements documented in the SASRD [D5] are validated by test or inspection. A validation test specification and plan [D29] was created for the Series 1700/2700 Flowmeters and reviewed as part of the assessment. Each validation test includes an explicit test to the requirement being validated. As part of the assessment, it was verified that all safety requirements were covered by one or more validation tests. Procedures are in place for corrective actions to be taken when tests fail as documented in [D1] and [D17]. Requirements from IEC , Table B.3 that have been met by Micro Motion, Inc. including functional testing, project management, documentation, and black-box testing. [D40] & [D51] documents more details on how each of these requirements are met. This meets the requirements of SIL 3. Requirements from IEC , Table B.5 that have been met by Micro Motion, Inc. include functional testing and functional testing under environmental conditions, Interference surge immunity testing, fault insertion testing, project management, documentation, static analysis, dynamic analysis, and failure analysis, expanded functional testing and black-box testing. [D40] & [D51] documents more details on how each of these requirements has been met. This meets SIL Verification The development and verification activities are defined in [D2] and [D3]. Verification activities include the following: Design Review Meetings, Hardware Verification Testing, FMEDA, Module Testing, Module Integration Test, and Software Inspection Modifications Modifications are done per Micro Motion s IEC SIL 3 compliant ECR/ECO procedure CP 36 [D17]. A large change project would be treated as a new development, and is required to go through the full new development process CP 18. Additional automatic measures have been put into place to insure that a SIL impact analysis is performed when any part or assembly that is a component on a SIL approved device is part of an ECR. This meets the requirements of IEC SIL User documentation Micro Motion, Inc. created a Safety Manual for the Series 1700/2700 Flowmeters, [D39]. This safety manual was assessed by exida. The final version is considered to be in compliance with the requirements of IEC The document includes all required reliability data and operations, maintenance, (or references to) and proof test procedures. Requirements from IEC , Table B.4 that have been met by Micro Motion, Inc. include operation and maintenance instructions, user friendliness, maintenance friendliness, project management, documentation, limited operation possibilities, protection against operator mistakes, and operation only by skilled operators. [D40] & [D51] documents more details on how each of these requirements has been met. This meets the requirements for SIL 3. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 16 of 25

17 5.2 Proven in Use In 2005 the Series 1700/2700 Flowmeters with the 700 Core were evaluated and determined to meet the proven in use requirements of IEC (See document [R3]). This transmitter has been in the field since Back in 2005 over 50,000 units had over 300 million hours of documented run time in the field. Based on field return data, the estimated field failure rate of the device is 6.73E-07 failures per hour. The documented operating hours and field failure rate are sufficient to meet the proven in use requirements for SIL 3. A second proven in use assessment was done for transmitters with the 800 ECP [R5]. This report showed that although the failure rates were sufficient for proven in use of the hardware, however there were not enough field hours of run time of the latest software version to accept this alone as sufficient proof for a SIL 3 device. Thus the 800 ECP assessment is not wholly based on Proven in Use. This along with the other design measures used in the development of the 800 ECP meets the requirements for systematic capability of IEC Hardware Assessment To evaluate the hardware design of the Series 1700/2700 Flowmeters, a Failure Modes, Effects, and Diagnostic Analysis was performed by exida for each component in the system. This is documented in [R1] and [R2]. The FMEDAs were verified using Fault Injection Testing as part of the IEC assessment [R7]. A Failure Modes and Effects Analysis (FMEA) is a systematic way to identify and evaluate the effects of different component failure modes, to determine what could eliminate or reduce the chance of failure, and to document the system in consideration. An FMEDA (Failure Mode Effect and Diagnostic Analysis) is an FMEA extension. It combines standard FMEA techniques with extension to identify online diagnostics techniques and the failure modes relevant to safety instrumented system design. From the FMEDA failure rates are derived for each important failure category. The failure rates are valid for the useful life of the devices. These results must be considered in combination with PFD AVG of other devices of a Safety Instrumented Function (SIF) in order to determine suitability for a specific Safety Integrity Level (SIL). The analysis shows that the design of the Series 1700/2700 Flowmeters meets the hardware requirements of IEC 61508, SIL HFT=0 and SIL HFT=1. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 17 of 25

18 IEC Functional Safety Surveillance Audit 6.1 Roles of the parties involved Micro Motion, Inc. exida exida Manufacturer of the Series 1700/2700 Flowmeters Performed the hardware assessment review Performed the IEC Functional Safety Surveillance Audit per the accredited exida scheme. Micro Motion, Inc. contracted exida in February 2017 to perform the surveillance audit for the above Series 1700/2700 Flowmeters with either the 700 or 800 Core. The surveillance audit was conducted onsite at Micro Motion s facility in Boulder, CO - USA on April 19, Surveillance Methodology As part of the IEC functional safety surveillance audit the following aspects have been reviewed: Procedure Changes Changes to relevant procedures since the last audit are reviewed to determine that the modified procedures meet the requirements of the exida certification scheme. Engineering Changes The engineering change list is reviewed to determine if any of the changes could affect the safety function of the Series 1700/2700 Flowmeters with either the 700 or 800 Core. Impact Analysis If changes were made to the product design, the impact analysis associated with the change will be reviewed to see that the functional safety requirements for an impact analysis have been met. Field History Shipping and field returns during the certification period will be reviewed to determine if any systematic failures have occurred. If systematic failures have occurred during the certification period, the corrective action that was taken to eliminate the systematic failure(s) will be reviewed to determine that said action followed the approved processes and was effective. Safety Manual The latest version of the safety manual will be reviewed to determine that it meets the IEC requirements for a safety manual. FMEDA Update If required or requested the FMEDA will be updated. This is typically done if there are changes to the IEC standard and/or changes to the exida failure rate database. Evaluate use of the certificate and/or certification mark - Conduct a search of the applicant s web site and document any misuse of the certificate and/or certification mark. Report any misuse of the certificate and/or certification mark to the exida Managing Director. Recommendations from Previous Audits If there are recommendations from the previous audit, these are reviewed to see if the recommendations have been implemented properly. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 18 of 25

19 6.2.1 Documentation provided by Micro Motion, Inc. [D52] GWI 33, Rev F, 22-Mar-17 [D53] GWI 235, Rev F, 6-Apr-17 [D54] GWI 305, Rev K, 6-Apr-17 [D55] GWI 318, Rev AD, 6-Apr-17 [D56] GWI 320, Rev U, 6-Apr-17 [D57] GWI 321, Rev P, 6-Apr-17 [D58] GWI 336, Rev N, 24-Feb-17 [D59] GWI 355, Rev U, 30-Jan-17 [D60] GWI 371, Rev F, 6-Apr-17 [D61] GWI 380, Rev L, 20-Mar-17 [D62] LWI 15, Rev AF, 14-Apr-17 [D63] LWI 23, Rev AD, 10-Mar-17 [D64] LWI 31, Rev K, 10-Mar-17 [D65] LWI 133, Rev K, 11-Apr-17 [D66] LWI 186, Rev F, 11-Apr-17 [D67] 700 SRS REV02.DOC [D68] 700 v3 4-ADVTresults with links.xlsx [D69] 800 v4.02-advtresults with links.xlsx [D70] 800SRS.DOC, Rev A.4 [D71] CP 36-A9 SIL IAWrB 800- ECO post audit.docx [D72] CP 36-A9 SIL Impact Analysis Worksheet-RevB.docx [D73] ECOsWithSILImpacts.xlsx, [D74] SIL_Affected_SIL-AFFECTED_ rev_ag Engineering_Bill_of_Ma terials [D75] Software Tools-final.xlsx [D76] Unit Test Template.docx [D77] E , Rev CD, 18-Apr-11 [D78] E ,Rev EF, 24-Nov-14 [D79] E , Rev EG, 10-Dec-14 Sustaining Engineering Stage Gate Process RMA Evaluation Writing Standard Product Safety Product Development and Design Control Temporary Deviation Authorization Document Control Engineering Change Orders Internal Audits Product Notification Supplier Quality Manual Return Material Authorization Software Development Process Inspection, Measuring and Test Equipment Calibration Systems Architecture and Safety Requirements Guidelines Safety Manual Creation Guideline Updated SRS for 700 core changes Updated validation test results for 700 core changes Updated validation test results for 800 core changes Updated SRS for 800 core changes Updated Impact Analysis for 800 core changes with traceability Updated Impact Analysis template List of impact analyses related to engineering change orders (ECO) Hardware and Software version information List of offline SW development tools Updated unit test plan template Drawing, Com Assy F200/R200/H200 Drawing, Com Assy F050/H050/K050/R050 Drawing, Com Assy F025/H025/K025/R025 T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 19 of 25

20 [D80] E , Rev EI, 05-Nov-15 [D81] PS-00400, Rev Q, Feb 2014 [D82] ER , Rev AD, 1-Sep-16 [D83] PS , Rev A, Dec-2016 [D84] PS-00599, Rev N, Sep-2016 [D85] SIL recertification 2017 rev2 thru present_e_analysis.xlsx, 10-Mar- 17 [D86] Sensor Prodfails since April 2014.xls, 19-Apr-17 Drawing, Com Assy F100/R100/H100 Product Data Sheet, Micro Motion Series 1000 and Series 2000 Transmitters with MVD Technology HPC010 Sensor Assy Drawing HPC010P Ultra High Pressure Flowmeter Product Data Sheet H-Series Hygienic Coriolis Flow and Density Meters Product Data Sheet Global Field Return data for 1700/2700 and Cores Global Field Return data for Coriolis Sensors [D87] Field Quality Q2 FY17, 24-Mar-17 Minutes of Quality & Reliability Review Meeting [D88] Boulder MMI Cross-Site Audit.docx [D89] Cluj Cross-Site Audit Report.pptx [D90] Cross site audit AFTC.docx [D91] Cross site Audit Report Ede.docx [D92] TF Cross-site audit report March 2017.pptx [D93] Rev_Updates_GWI_LWI_ xlsx Cross Site Audit Report for Boulder CO Cross Site Audit Report for Cluj, Romania Cross Site Audit Report for Nanjing, China Cross Site Audit Report for Ede, Netherlands Cross Site Audit Report for Chihuahua, Mexico List of revisions for Control Procedures and Local Work Instructions since last certification Surveillance Documentation generated by exida [R10] EMM 04/06-22 R004 V3R4, 28-Apr-17 [R11] EMM 08/04-67 R001 V3R5, 28-Apr-17 [R12] PIU MM R1.xlsx, 28-Apr-17 [R13] EMM 08/04-67 R005 V2R1 FMEDA report, 1700 / 2700 Coriolis Flowmeter Series with Standard 700 Core FMEDA report, 1700 / 2700 Coriolis Flowmeter Series with Enhanced 800 Core 1700/2700 Proven In Use Analysis IEC Functional Safety Assessment for Micro Motion Series 1700/2700 Flowmeters (this Report) T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 20 of 25

21 6.3 Surveillance Results Procedure Changes Each of the GWI and LWI Instructions that have been updated were reviewed and were found to still be consistent with the requirements of IEC Note that the following CP s used for the original audit have been replaced with GWI s. CP5, CP18, CP20, CP21, CP36, CP71 and CP Engineering Changes Lists of Hardware and Software changes since the last audit were reviewed. Each of the changes were sufficiently evaluated for functional safety and documented in accordance with Micro Motion s procedures Impact Analysis The SIL Impact Analysis Worksheets for the hardware and software changes were reviewed and found to be sufficient given the scope of the simple changes made to this mature product Field History Worldwide Shipment and Return information was reviewed for each of the 4 main components of the 1700 / 2700 transmitter. For the returns, the WF-18 (which includes the WF-12 category) information was used. The data used was for the 3 year period between Jan 2014 to Dec Sensors Almost 190,000 Sensors were shipped and this resulted in >1.2 billion warranty operating hours. 700 Core More than 72,000 units were shipped which resulted in just under 500 million warranty operating hours. 800 Enhanced Core More than 45,000 units shipped resulted in over 300 million warranty operating hours / 2700 Transmitter Just over 120,000 units shipped and resulted in over 800 million warranty operating hours. Using even the most conservative number of units that failed and a return percentage of 50%, the total demonstrated failure rates were 2688 FIT for a 700 Core sensor plus transmitter and 1998 FIT for an 800 ECP sensor plus transmitter. Note that the 700 numbers still include some older 700 V1 designs which contribute to its higher failure rate. Both of these numbers are lower than the total failure rates listed in the FMEDA s and is evidence that no systematic issues have crept into the process. Management holds regular quality meetings to monitor this as well Safety Manual Rev BB is the current version of the safety manual and was found to be publicly available on Micro Motions website. The contents of the manual were found to be acceptable. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 21 of 25

22 6.3.6 FMEDA Update As part of this audit, the D600 sensor has been removed from the certification as it is no longer being made. The Hygienic (H series) and High Pressure (HPC010P Series) Sensors were reviewed and added to the FMEDAs. The FMEDA analyses and reports were revised to include that the listed failure rates are suitable for use with Route 2 H Evaluate use of certificate and/or certification mark The Micro Motion website was searched and no misleading or misuse of the certification or certification marks was found Previous Recommendations No previous recommendations needed to be implemented Additional Manufacturing locations In addition to the main design and manufacturing location in Boulder CO, Micro Motion has 4 other sites that are approved to produce Sensors and finished Transmitter assemblies. These are located in Chihuahua, Mexico; Nanjing, China; Ede, Netherlands; and Cluj, Romania Assessed Configurations / Versions Some sensor models have been added and others removed in the years since the initial audit. The following table lists the current assessed configurations and Hardware/Software versions: Table 1 Assessed Configurations / Versions 1700 Series 2700 Series Sensors Hardware Software/Firmware (listed versions or later) Micro Motion Coriolis Flowmeter with 1700 transmitter with 700 CP or 800 ECP and Analog Output or Intrinsically Safe Output (output codes A or D) Micro Motion Coriolis Flowmeter with 2700 transmitter with 700 CP or 800 ECP and output codes A, B, C or D Elite, T, F, H, R, DT (700 CP only) or HPC010 (800 ECP only) Based on rev AG BOM (or later) 1700/2700: v core: v3.40 or 800 core: v4.02 The validation data for adding the H and HPC010P series sensors was reviewed onsite at the audit. T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 22 of 25

23 7 Terms and Definitions Architectural Constraint exida criteria Fault tolerance FIT FMEDA HART HFT PFD avg SFF SIF SIL SIS Systematic Capability Type A element Type B element The SIL limit imposed by the combination of SFF and HFT for Route 1 H or by the HFT and Diagnostic Coverage (DC applies to Type B only) for Route 2 H A conservative approach to arriving at failure rates suitable for use in hardware evaluations utilizing the 2 H Route in IEC Ability of a functional unit to continue to perform a required function in the presence of faults or errors (IEC , 3.6.3) Failure In Time (1x10-9 failures per hour) Failure Mode Effect and Diagnostic Analysis Highway Addressable Remote Transducer Hardware Fault Tolerance Average Probability of Failure on Demand Safe Failure Fraction summarizes the fraction of failures, which lead to a safe state and the fraction of failures which will be detected by diagnostic measures and lead to a defined safety action. Safety Instrumented Function Safety Integrity Level Safety Instrumented System Implementation of one or more Safety Instrumented Functions. A SIS is composed of any combination of sensor(s), logic solver(s), and final element(s). The SIL limit imposed by the capability of the products manufacturer. Non-Complex element (using discrete components); for details see of IEC Complex element (using complex components such as micro controllers or programmable logic); for details see of IEC T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 23 of 25

24 8 Status of the document 8.1 Liability exida prepares reports based on methods advocated in International standards. Failure rates are obtained from a collection of industrial databases. exida accepts no liability whatsoever for the use of these numbers or for the correctness of the standards on which the general calculation methods are based. 8.2 Releases Version: Revision: V2 R1 Version History: V2, R1: Updated with 2017 Re-Cert audit, combined 700 and 800 Core reports, and added H & HPC Sensors, G Sauk, 1-May-2017 V1, R5: updated FMEDA report reference, RPC, V1, R4: updated for R sensors; updated FMEDA reference, RPC, V1, R3: updated for renewal certification to IEC 61508:2010, 2 nd ed., JCY, May 22, 2014 V1, R2: updated for renewal certification, JCY, April 30, 2012 V1, R1: Revised some terminology, Released to Micro Motion, Inc.; December 9, 2008 V0, R1: Internal Draft; November 18, 2008 Authors: John Yozallinas - Gregory Sauk Review: V0, R1: William M. Goble (exida); December 5, 2008 V1, R3: Griff Francis, May 12, 2014 V2, R1: John Yozallinas, May 1, 2017 Release status: Released 8.3 Future Enhancements At request of client T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 24 of 25

25 8.4 Release Signatures John Yozallinas, CFSE, Senior Safety Engineer Gregory Sauk, CFSE, Senior Safety Engineer T-034 V5R3 exida 80 N. Main St, Sellersville, PA Page 25 of 25